Emergency Medical Treatment and Active Labor Act (EMTALA) AUDIT GUIDE


Audit Criteria

Audit Date: June 2010

Review:
- Review policy and procedures for emergency room services.
- Review of the transfer documentation, medical screening examination and stabilization policy and procedures.
- Review of the on-call coverage lists and policy.
- Review of the central log.
- Review of the signage requirements.
- Review of medical records.
- Review of EMTALA related policies and procedures to monitor compliance with all applicable laws, regulations and program guidelines.

Claim Sampling: To complete this section, the auditor will be required to review the following claims. Selected 25 patient accounts from the central log of each facility. To complete this section, the auditor must complete each of the reviews indicated below.

1. Is the patient on the central log?

The provider agrees, in the case of a hospital as defined in 489.24(b) (including both the transferring and receiving hospitals), to maintain a central log on each individual who comes to the emergency department, as defined in 489.24(b), seeking assistance and whether he or she refused treatment, was refused treatment, or whether he or she was transferred, admitted and treated, stabilized and transferred, or discharged (42 CFR 489.20).

Enter Y if the patient is on the central log. Enter N if the patient is not on the central log. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

2. Is there a disposition on the central log?

The provider agrees, in the case of a hospital as defined in 489.24(b) (including both the transferring and receiving hospitals), to maintain a central log on each individual who comes to the emergency department, as defined in 489.24(b), seeking assistance and whether he or she refused treatment, was refused treatment, or whether he or she was transferred, admitted and treated, stabilized and transferred, or discharged (42 CFR 489.20).

Enter Y if there is a disposition on the central log. Enter N if there is not a disposition on the central log.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

3. Does the discharge disposition on the central log match the medical record documentation?

The provider agrees, in the case of a hospital as defined in 489.24(b) (including both the transferring and receiving hospitals), to maintain medical and other records related to individuals transferred to or from the hospital for a period of 5 years from the date of the transfer (42 CFR 489.20).

The provider agrees, in the case of a hospital as defined in 489.24(b) (including both the transferring and receiving hospitals), to maintain a central log on each individual who comes to the emergency department, as defined in 489.24(b), seeking assistance and whether he or she refused treatment, was refused treatment, or whether he or she was transferred, admitted and treated, stabilized and transferred, or discharged (42 CFR 489.20).

The hospital must provide an appropriate medical screening examination within the capability of the hospital's emergency department, including ancillary services routinely available to the emergency department, to determine whether or not an emergency medical condition exists. The examination must be conducted by an individual(s) who is determined qualified by hospital bylaws or rules and regulations and who meets the requirements of 482.55 of this chapter concerning emergency services personnel and direction (42 CFR 489.24).

Enter Y if the discharge disposition matches the medical record documentation. Enter N if the discharge disposition does not match the medical record documentation. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

4. Was there a medical screening examination (MSE) performed by a qualified medical provider to determine if the patient has an emergency medical condition (EMC)?

In the case of a hospital that has an emergency department, if an individual (whether or not eligible for Medicare benefits and regardless of ability to pay) "comes to the emergency department", the hospital must provide an appropriate medical screening examination within the capability of the hospital's emergency department, including ancillary services routinely available to the emergency department, to determine whether or not an emergency medical condition exists. The examination must be conducted by an individual(s) who is determined qualified by hospital bylaws or rules and regulations and who meets the requirements of 482.55 of this chapter concerning emergency services personnel and direction. If an emergency medical condition is determined to exist, the hospital must provide any necessary stabilizing treatment, or an appropriate transfer. If the hospital admits the individual as an inpatient for further treatment, the hospital's obligation under this section ends (42 CFR 489.24).

Enter Y if there is documentation of an MSE performed by a qualified medical provider. Enter N if there is not documentation of an MSE performed by a qualified medical provider. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

5. If an emergency medical condition (EMC) exists, was the patient stabilized?

If an emergency medical condition is determined to exist, the hospital must provide any necessary stabilizing treatment, or an appropriate transfer. If the hospital admits the individual as an inpatient for further treatment, the hospital's obligation under this section ends (42 CFR 489.24).

If an individual at a hospital has an emergency medical condition that has not been stabilized, the hospital may not transfer the individual unless the transfer is an appropriate transfer, and the individual (or a legally responsible person acting on the individual's behalf) requests the transfer, after being informed of the hospital's obligations under this section and of the risk of transfer (42 CFR 489.24).

The provider agrees, in the case of a hospital as defined in 489.24(b), to report to CMS or the State survey agency any time it has reason to believe it may have received an individual who has been transferred in an unstable emergency medical condition from another hospital in violation of the requirements of 489.24 (42 CFR 489.24).

Enter Y if an emergency medical condition existed and the patient was stabilized. Enter N if an emergency medical condition existed and the patient was not stabilized. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

6. Is there certification by the physician that the benefits outweigh the risks of transfer?

A physician (within the meaning of section 1861(r)(1) of the Act) has signed a certification that, based upon the information available at the time of transfer, the medical benefits reasonably expected from the provision of appropriate medical treatment at another medical facility outweigh the increased risks to the individual or, in the case of a woman in labor, to the woman or the unborn child, from being transferred. The certification must contain a summary of the risks and benefits upon which it is based. Or, if a physician is not physically present in the emergency department at the time an individual is transferred, a qualified medical person (as determined by the hospital in its bylaws or rules and regulations) has signed a certification after a physician as defined in section 1861(r)(1) of the Act, in consultation with the qualified medical person, agrees with the certification and subsequently countersigns the certification. The certification must contain a summary of the risks and benefits upon which it is based (42 CFR 489.24).

Enter Y if there is certification by the physician that the benefits outweigh the risks of transfer. Enter N if there is not a certification by the physician that the benefits outweigh the risks of transfer. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

7. Did the patient or legal representative consent to the transfer?

The hospital must take all reasonable steps to secure the individual's written informed refusal (or that of a person acting on his or her behalf). The written document must indicate the person has been informed of the risks and benefits of the transfer and state the reasons for the individual's refusal. The medical record must contain a description of the proposed transfer that was refused by or on behalf of the individual (42 CFR 489.24).

Enter Y if the patient or legal representative consented to the transfer. Enter N if the patient or legal representative did not consent to the transfer. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

8. Is there documented communication with the receiving hospital and physician to accept the transfer of the patient?

A transfer to another medical facility will be appropriate only in those cases in which the transferring hospital provides medical treatment within its capacity that minimizes the risks to the individual's health and, in the case of a woman in labor, the health of the unborn child, and the receiving facility has available space and qualified personnel for the treatment of the individual and has agreed to accept transfer of the individual and to provide appropriate medical treatment (42 CFR 489.24).

Enter Y if there is documented communication with the receiving hospital and physician to accept the transfer of the patient. Enter N if there is not documented communication with the receiving hospital and physician to accept the transfer of the patient. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

9. Were copies of the medical record documentation sent with the patient to the receiving hospital?

The transferring hospital sends to the receiving facility all medical records (or copies thereof) related to the emergency condition with which the individual has presented that are available at the time of the transfer, including available history, records related to the individual's emergency medical condition, observations of signs or symptoms, preliminary diagnosis, results of diagnostic studies or telephone reports of the studies, treatment provided, results of any tests and the informed written consent or certification required, and the name and address of any on-call physician who has refused or failed to appear within a reasonable time to provide necessary stabilizing treatment. Other records (e.g., test results not yet available or historical records not readily available from the hospital's files) must be sent as soon as practicable after transfer; and the transfer is effected through qualified personnel and transportation equipment, as required, including the use of necessary and medically appropriate life support measures during the transfer (42 CFR 489.24).

Enter Y if copies of the medical record documentation were sent with the patient to the receiving hospital. Enter N if copies of the medical record documentation were not sent with the patient to the receiving hospital. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

10. Is there a sign specifying the rights of individuals with emergency conditions and women in labor?

The provider agrees, in the case of a hospital as defined in 489.24(b), to post conspicuously in any emergency department, or in a place or places likely to be noticed by all individuals entering the emergency department, as well as those individuals waiting for examination and treatment in areas other than traditional emergency departments (that is, entrance, admitting area, waiting room, treatment area), a sign (in a form specified by the Secretary) specifying the rights of individuals under section 1867 of the Act with respect to examination and treatment for emergency medical conditions and women in labor (42 CFR 489.20).

Enter Y if there is a sign specifying the rights of individuals with emergency conditions and women in labor. Enter N if there is not a sign specifying the rights of individuals with emergency conditions and women in labor.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

11. If a sign exists, does the sign indicate that the facility participates in the Medicaid program?

The provider agrees to post conspicuously (in a form specified by the Secretary) information indicating whether or not the hospital or rural primary care hospital (e.g., critical access hospital) participates in the Medicaid program under a State plan approved under Title XIX (42 CFR 489.20).

Enter Y if the sign indicates that the facility participates in the Medicaid program. Enter N if the sign does not indicate that the facility participates in the Medicaid program. Enter N/A if the issue is not applicable to the review.

Comments: Enter any specific concerns, issues, or findings related to the question in the comment field.

EMTALA Audit Questions

For each criterion below, record Audit Findings as Meets Standard (YES/NO/NA) and add Comments.

Criteria for EMTALA Review

Signage
- Does the sign specify the rights of individuals with emergency conditions and women in labor who come to the emergency department for health care services?
- Does it indicate whether the facility participates in the Medicaid program?
- Is the wording of the sign clear and in simple terms and language that are understandable by the population served by the hospital?
- Is the sign posted in a place or places likely to be noticed by all individuals entering the emergency department, as well as those individuals waiting for examination and treatment?

On Call List
- Is there a list of on call physicians?
- Are the on call physicians listed by name (not group)?
- Does the on-call list reflect all services offered by the facility?
- Where is the most current list kept?

MSE
- Are co-pays collected at registration?
- Is financial information discussed at registration?
- Is prior authorization obtained from health plans prior to a MSE?

Medical Staff Bylaws/Hospital Policy/Procedures
- Is there language in the MS bylaws that addresses the requirements of on call physicians?
- Are there any concerns with physician(s) responding in a timely manner when the ED physician requests the specialist to see the patient?
- Is there a policy that addresses what should be done if the on-call physician cannot see the patient?

Registration
- Do you have a quick registration process and if so what is the process? (Cannot delay exam to gather financial information.)
- Do you have a fast track and if so what is the process? (Who screens the patient and determines whether the patient is appropriate for fast track?)

Education
- How are new staff educated on EMTALA?
- Evidence of staff education (physicians, residents, nursing, security, volunteers & registration)

Central Log Review Worksheet

For all cases reviewed in Central Log, record the following for each case:
- Acct #
- Patient Name
- MR#
- Patient Type
- Is the Patient on the Central Log?
- Is there a Discharge Disposition on the Central Log?
- Does the Discharge Disposition on the Central Log Match the Medical Record Documentation?

Review questions if Patient Transferred:
- Is there Certification by the Physician that the Benefits Outweigh the Risks of Transfer?
- Did the Patient/Legal Representative Consent to the Transfer?
- Is there Documented Telephone Contact with the Receiving Hospital and Physician to Accept the Transfer of the Patient?
- Were Copies of the Medical Record Documentation Sent with the Patient to the Receiving Hospital?
- Is there a discharge disposition documented on the central log?
- Comments

AUDIT CRITERIA AND METHODOLOGY

1) Computer Screens: Was Protected Health Information (PHI) safeguarded?
Methodology: Visit hospital nursing units and clinics to observe whether PHI is visible to the public. To evaluate the privacy of PHI, assess computer screens as to whether they are in a secure location or use screen devices that limit the ability to read the screen. Evaluate white boards as to what is listed (they should not show full name and diagnosis/PHI). Review sign-in sheets for the presence of a diagnosis/reason for visit associated with the name.

2) Was PHI disposed of properly? Is the privacy notice posted in admission areas, clinics, ED and other areas required?
Methodology: Visit hospital nursing units and clinics to observe whether PHI (including paper, IV bags and medications with labels) was disposed of properly; compare to internal policy requirements regarding shredding, security bins for PHI, etc. Observe whether the privacy notice is posted, if applicable.

3) Was there a standard fax cover letter with a confidentiality statement and were fax machines kept in a secure location?
Methodology: Visit hospital nursing units and clinics to observe whether fax machines have standard cover letters with a confidentiality statement and evaluate whether fax machines used for receipt of PHI are kept in a secure location.

4) Were patient charts and loose reports on the nursing floors in an area where information could not be easily accessed and viewed?
Methodology: Visit hospital nursing units to observe.

5) Were staff aware of the process to verify the identity of individuals requesting their records and/or films prior to release of information?
Methodology: Visit the Medical Records and Radiology Departments to validate whether photo identification is being reviewed and authorization obtained prior to releasing the medical records and/or films (use hospital policy as the guideline) by conducting interviews with staff in each area.

6) Were radiological films burned to CD-ROM limited to a single patient?
Methodology: While visiting the Radiology Department, ask whether CD-ROMs are given to patients with their radiological test results. If yes, request to view the process for how information is burned onto a CD-ROM and to view CD-ROMs that were completed and waiting for the patient to pick up.

5) Were staff aware of the process to verify the identity of a person who calls asking for medical information over the telephone prior to release of information?
Methodology: Visit the Medical Record Department, Cardiology Research and Oncology Research areas and interview staff to assess how medical information is released over the telephone (if at all) and whether there is a validation process. Compare to internal policy requirements.

6) Were staff aware of the process to confirm access was appropriate for employees and physicians when they request to review a medical record? What about records requested for research purposes?
Methodology: Interview staff in the medical records department on the process for validating that another employee or physician has the right to access a medical record. Compare to internal policy requirements. Physicians requesting to review medical records on research patients must have IRB approval and bring letters showing they have approval. Compare to internal policy requirements.

7) Were staff aware of the process to prevent PHI from being left on a home answering machine or with an unknown person answering the telephone when a hospital employee calls a patient's house?
Methodology: Interview staff in departments such as lab, clinics, research visits, etc. on the process for not leaving PHI on a patient's answering machine or with an unknown person when calling a patient's house to relay test results, and to schedule and/or follow up. Compare to internal policy requirements.

8) Was the accounting of disclosure for research participants, in which a waiver by the Institutional Review Board from the authorization requirement was granted, included on the hospital accounting of disclosures log?
Methodology: When a research study is performed under a waiver by the IRB from the authorization requirement, such as reviews preparatory to research, research on decedents' information or other retrospective chart audit studies, any PHI disclosed in those situations must be included on the accounting of disclosures for the covered entity. Review IRB minutes and note where waivers were granted by the IRB. Request the accounting of disclosure on these records. Compare to internal policy requirements.

9) Is there a private room/area for physicians to discuss patient results with family in waiting areas?
Methodology: Visit ambulatory surgery units and critical care areas to visit waiting rooms and observe whether physicians/nurses are meeting with family in an area that protects their privacy.

10) Do employees know who the designated privacy officer is and how to contact the officer directly?
Methodology: Visit various hospital units and departments. Randomly select employees and ask whether they know who the designated privacy officer is at the entity.

11) Incidental Disclosures
Methodology: To determine whether there are instances of incidental PHI disclosures, ride elevators, walk hallways, and sit in the cafeteria and waiting rooms for a period of time and observe whether you can overhear conversations in which PHI is disclosed.

12) VIPs (Very Important People) and Need to Know
Methodology: Select hospital units and interview staff/management to determine whether there is a process by which the staff is notified of VIPs, whether anyone from within the organization questions the staff about the patient clinically, and how the situation is handled. Compare to internal policy requirements regarding need to know.

13) Security Cameras
Methodology: Question the security officer and management as to whether there are any security cameras in the hospital that view private patient areas. Determine who can view the footage, whether that is appropriate and whether patients are aware.

14) Authorization to take Newborn Photos and Patient Photos
Methodology: Select a sample of newborn patients, either currently in hospital or discharged, and check for the presence of the consent for the newborn to be photographed. Review hospital publications/newsletters for pictures of patients. Visit the public relations department and request the authorization that should be on file for the patient. Compare to internal policy requirements.

HIPAA SECURITY AUDIT CRITERIA:

1) Can the auditor access shared drives that contain PHI?
Methodology: Audit several hospital departments/nursing units (Emergency Department (ED), Medical Records, Clinical Documentation Specialist (COWs, computers on wheels), Patient Access Services, Radiology Services and Administration). Determine whether the shared drives are accessible to departments and/or individuals as appropriate to perform their job responsibilities. To evaluate the criteria, audit computers to assess whether there is access to the shared drives by having employees click on My Computer and observing the drives where access was granted. Have the employee click on various folders as determined at the time of review.

2) Was EPHI accessible on a shared drive?
Methodology: Audit several hospital departments/nursing units. Determine whether EPHI is accessible on the shared drives. To evaluate the security of EPHI, audit computers in each area to assess whether the user can access EPHI in folders that were created on the shared drives.

3) Was employee computer access changed and/or terminated upon an employee's transfer to a new position within the hospital or upon termination (voluntary or involuntary) from the hospital?
Methodology: Request the names of employees who separated from employment (voluntary or involuntary) and who transferred into the department. This information can also be requested from Human Resources. Evaluate whether their access to computer systems with EPHI was terminated and when. Compare to internal policy requirements.
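One way to carry out the separation/transfer check in Security item 3 mechanically, as an added example that is not part of the audit guide: it joins the HR event list with a directory account export and reports every account whose EPHI access was not removed or changed within the policy window. The one-day policy window, the department group names and all sample records are assumptions constructed for the example.

```python
"""Audit: was EPHI system access terminated or changed on separation/transfer?"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed internal policy (not stated in the audit guide): EPHI system
# access must be disabled or changed within one calendar day of the HR event.
POLICY_MAX_DAYS = 1
# Audit reference date for the constructed sample data.
AS_OF = date(2010, 6, 1)


@dataclass(frozen=True)
class HrEvent:
    emp_id: str
    kind: str                 # "separation" or "transfer"
    event_date: date
    old_dept: str
    new_dept: Optional[str] = None


@dataclass(frozen=True)
class Account:
    emp_id: str
    enabled: bool
    disabled_on: Optional[date]
    ephi_groups: frozenset    # department EPHI share groups the account holds


# Hypothetical mapping of each department to the group that grants EPHI access.
DEPT_GROUP = {
    "ED": "ephi-ed",
    "Radiology": "ephi-radiology",
    "Medical Records": "ephi-medrec",
    "Administration": "ephi-admin",
    "Oncology Research": "ephi-oncres",
}

# Constructed sample HR events, as Human Resources would supply them.
HR_EVENTS = [
    HrEvent("E100", "separation", date(2010, 5, 3), "ED"),
    HrEvent("E101", "separation", date(2010, 5, 10), "Radiology"),
    HrEvent("E102", "transfer", date(2010, 5, 12), "Medical Records", "Administration"),
    HrEvent("E103", "separation", date(2010, 5, 20), "Oncology Research"),
    HrEvent("E104", "separation", date(2010, 5, 25), "ED"),
]

# Constructed account-status export from the directory (E104 has no record at all).
ACCOUNTS = {
    "E100": Account("E100", False, date(2010, 5, 3), frozenset()),
    "E101": Account("E101", True, None, frozenset({"ephi-radiology"})),
    "E102": Account("E102", True, None, frozenset({"ephi-medrec", "ephi-admin"})),
    "E103": Account("E103", False, date(2010, 5, 28), frozenset()),
}


def audit_access_changes(events, accounts, as_of=AS_OF, max_days=POLICY_MAX_DAYS):
    """Return a list of (emp_id, finding) for every event that fails the policy.

    An empty list means every separation and transfer was handled in time.
    """
    findings = []
    for ev in events:
        acct = accounts.get(ev.emp_id)
        if acct is None:
            # A missing directory record is itself a finding: nothing to verify against.
            findings.append((ev.emp_id, "no directory record; cannot verify access removal"))
            continue
        deadline = ev.event_date + timedelta(days=max_days)
        if ev.kind == "separation":
            if acct.enabled:
                days = (as_of - ev.event_date).days
                findings.append((ev.emp_id, f"account still enabled {days} days after separation"))
            elif acct.disabled_on is None:
                findings.append((ev.emp_id, "account disabled but no disable date recorded"))
            elif acct.disabled_on > deadline:
                late = (acct.disabled_on - ev.event_date).days
                findings.append((ev.emp_id,
                                 f"access disabled {late} days after separation (policy allows {max_days})"))
        elif ev.kind == "transfer":
            # A transferred employee should no longer hold the old department's EPHI group.
            old_group = DEPT_GROUP.get(ev.old_dept)
            if old_group in acct.ephi_groups:
                findings.append((ev.emp_id, f"still holds {old_group} after transfer to {ev.new_dept}"))
    return findings


if __name__ == "__main__":
    for emp_id, finding in audit_access_changes(HR_EVENTS, ACCOUNTS):
        print(f"{emp_id}: {finding}")
```

On real data the HR list and the directory export are the two inputs the methodology names; each finding should then be compared to the internal policy requirement before it is recorded.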

HIPAA Privacy Entity Review Worksheet

Facility/Area Being Reviewed:
Date of Review:
Reviewer:

Columns: Topic Area | Requirement | What Determines Compliance? | If Compliant, Enter "X" | If Not Reviewed, Enter "X" | ENTER NOTES AS APPLICABLE

Access/Amending (HIM; points of registration)
Requirement: Does department have process for responding to Access and Amendment requests?
What Determines Compliance:
1. Have policy and procedure available
2. Directs patients to HIM Department

Registration
Requirement: Is there a process in place to flag the medical records of No Information patients (restrictions)?
What Determines Compliance:
1. Have policy and procedure available
2. Call main hospital number and try to obtain info on no info patient

Registration / Access Services
Requirement: Is the Notice posted appropriately?
What Determines Compliance:
1. In all registration areas, Notice has been posted

Registration / Access Services
Requirement: Do all access/registration points have adequate supply of Notices?
What Determines Compliance:
1. Validate supply of Notices

Registration / Access Services
Requirement: Is there a follow-up process established when the acknowledgement cannot be obtained at admission (comatose, emergency, etc.)?
What Determines Compliance:
1. Have policy and procedure available
2. Chart audit for presence of consent/acknowledgement

Accounting for Disclosures
Requirement: Does department have process for tracking disclosures that require accounting?
What Determines Compliance:
1. Have policy and procedure available
2. Know which disclosures require accounting
3. Review all disclosures made by dept.
4. Review accounting forms sent to HIM (check w/ HIM if dept. didn't maintain)
5. Disclosures requiring accounting should have one in medical record or online
6. Decided how to track (paper v. online)

Accounting for Disclosures (HIM)
Requirement: Does department have process to provide accounting to patients who request it?
What Determines Compliance:
1. Disclosure letter contains all required information (dates of disclosures, name of person/entity
2. Disclosure acted on in timely manner (<60 days, plus 30 day extension)
3. If extension was needed, was patient notified?
4. Was first accounting request provided free of charge?
5. Was the accounting to the patient logged as a disclosure that required an accounting?
6. Dept can produce policies/procedures/forms for accounting.

Complaints
Requirement: Has the department communicated the process for handling patient privacy complaints?
What Determines Compliance:
1. Employee can locate Compliance EthicsLine poster
2. Employee knows who the Privacy Officer is?

Columns: Topic Area | Requirement | What Determines Compliance? | If Compliant, Enter "X" | If Not Reviewed, Enter "X" | ENTER NOTES AS APPLICABLE
(Topic areas on this page: Access, Forms, P&Ps, Release, HIM)

Access
Requirement: Have the minimum necessary protocols been communicated to staff?
What Determines Compliance:
1. Is the Minimum Necessary P&P available and followed?
2. Are requests for information validated (excluding treatment)?

Forms
Requirement: Are the appropriate departments informed of how to access and/or order necessary forms? Is there an adequate supply on hand? (includes New consent, consent with restrictions, request for restrictions, Notice, Authorization for Release of Patient Information, Amendment Request and Response, Access Response, Accounting Request, Confidential Communications Request)
What Determines Compliance:
1. Review forms that apply to department
2. Ensure adequate supply on hand
3. Employee knows how to access forms on intranet

P&Ps
Requirement: Is Use and Disclosure of PHI Policy (Release of Information Policy) readily available?
What Determines Compliance:
1. Is the Use and Disclosure of PHI policy available and followed?

Release
Requirement: What does the department do when it receives a subpoena?
What Determines Compliance:
1. If subpoena is received does dept release info?
2. If not, what does dept do?
3. If it does, is the subpoena P&P followed?
4. Is an accounting made (if required)?

Release
Requirement: Does department know process for responding to subpoenas?
What Determines Compliance:
1. Is the subpoena P&P followed? (refer to the Subpoena flowchart)
2. Is an accounting made (if required)?

Release
Requirement: Are impacted departments trained on the circumstances under which they can release information to law enforcement?
What Determines Compliance:
1. If subpoena is received does dept release info?
2. If not, what does dept do?
3. If it does, is the subpoena P&P followed?
4. Is an accounting made (if required)?

Release
Requirement: Is a signed authorization filed with the medical record?
What Determines Compliance:
1. Randomly check authorizations for validity with requirements for a valid authorization

Release
Requirement: Were the proper documents obtained to verify identity of patient or legal representative?
What Determines Compliance:
1. Have employee describe steps to verify identity

Release
Requirement: Is the most current fee schedule for processing records readily available?
What Determines Compliance:
1. Review fee schedule

Release
Requirement: Is release of information database/log currently maintained?
What Determines Compliance:
1. If yes, review the log for disclosures that may require accounting
2. If no, review the types of disclosures made

Release
Requirement: If patient is deceased, have the appropriate documents been obtained (proof of next of kin, power of attorney, proof of executorship, proof of death, etc)?
What Determines Compliance:
1. Review requests of records of deceased patients
2. Review means of obtaining authority, and verifying identity

Release
Requirement: In the case of a minor, has signature of parent (or legal guardian) been verified?
What Determines Compliance:
1. Validate authority of parent to receive information
2. Verify identity of parent

Release
Requirement: Are procedures being followed for allowing patients to revoke authorization to disclose or use protected health information at any time?
What Determines Compliance:
1. Procedures followed for revoking authorization
2. Revocations are communicated to affected areas (review process)

Columns: Topic Area | Requirement | What Determines Compliance? | If Compliant, Enter "X" | If Not Reviewed, Enter "X" | ENTER NOTES AS APPLICABLE

Physical Privacy: Wall space
What Determines Compliance:
1. Is the notice of privacy practices posted? (for all access services areas)
2. Have all whiteboards and other communication boards been evaluated for compliance?

Physical Privacy: Nursing station
What Determines Compliance:
1. Are sign-in sheets being used appropriately? (cannot contain information about patient's health). Can contain name, sign-in date, sign-in time, and physician to be seen
2. Are patient charts on counters? Should not be on counters where PHI is visible
3. Has the distribution list for OR surgery schedules and other patient information lists been evaluated for appropriateness?
4. Posted copies of surgery schedule or other documents containing PHI?
5. Dictation being done in a private area
6. Telephone calls: monitor what is being said and to whom

Physical Privacy: Biomedical equipment
What Determines Compliance:
1. Placement of equipment: can a patient walk by and see or pick up any PHI?

Physical Privacy: Patient
What Determines Compliance:
1. Information on door is limited to the patient's last name (complete information can be located at bed)
2. Conversations regarding patient care being conducted in a private/secure area

Physical Privacy: PHI left on faxes, printers and copiers
What Determines Compliance:
1. Placement of fax machine: can a patient walk by and see or pick up faxes on the fax machine?
2. Is PHI left on the fax machine and no one has picked it up?
3. Are the approved fax cover sheets being used?
4. When a fax is sent, how is it sent? Is the phone number keyed in? Is speed dial used? Does the person call to authenticate the receiving party?
5. Shredding bins are located in areas where PHI is discarded.

Physical Privacy: Chart Access on units
What Determines Compliance:
1. Make sure chart racks in the hallways are locked
2. Make sure all medical records are stored in accordance with dept. policy
3. Where is the p/p?
4. Make sure only authorized staff has access to the area where medical records are stored

Physical Privacy: Personal Computer Usage
What Determines Compliance:
1. Placement of PC screen: can a patient walk by and see what is on the screen?

Physical Privacy: Personal Computer Usage (continued)
2. Are glare screens (what is the correct technical name for this?) attached to monitor?
3. Is PHI visible on the PC screen?
4. Is someone logged on and left the PC unattended?
5. Is PC equipped with automatic log-off?
6. Are passwords being shared?
7. Can any employee/volunteer/student/etc. log in? Does each person have a unique user ID?
8. Do staff near the PC challenge individuals they do not recognize or who may not necessarily have the authority to be in this work area?
9. Does device have removable media that user knows not to remove PHI from PC?
10. Does workstation have a screensaver password? After how many minutes of inactivity does it activate?

Physical Privacy: Waiting Room windows
What Determines Compliance:
1. Can PHI be heard?
2. Is PHI information being given out?
3. Can PHI be seen?

Physical Privacy: Hallways
What Determines Compliance:
1. PHI visible when charts are being transported through the facility
2. Vendors / Drug Reps in facility without proper identification and pass
3. Verification of identity being checked
4. Failure to stop strangers wandering hospital corridors to check their right to be there

Physical Privacy: Destruction
What Determines Compliance:
1. Auditing staff knowledge of how to prepare documents for destruction
2. Received proper receipt of boxes for storage
4. Shredding bins are located in areas where PHI is discarded.
5. Appropriate method of destruction was used (PHI only in shredding bins, no biohazard material in trash or shredding bins)

Training
Requirement: We provide training to all staff and others who would have access to protected health information.
What Determines Compliance:
1. BLN HIPAA lessons completed by employees?

TOTAL READINESS SCORE
TOTAL ITEMS REVIEWED
MAXIMUM SCORE (Total Items Reviewed minus N/A Items)
PERCENT COMPLIANT: 0

Provider-Based Audit Criteria

Clinical Services

1. Does the professional staff of the facility have clinical privileges at the main provider? 42 CFR 413.65(d)(2)(i)
See question 2 for documentation requirements.

2. Are the medical staff committees or other professional committees at the main provider responsible for medical activities, including quality assurance, utilization review, and the coordination and integration of services, to the extent practicable, between the facility and the main provider? 42 CFR 413.65(d)(2)(iv)
Documentation may include a list of all personnel working at the facility showing their job titles and the name of their employer, information as to whether professional staff of the facility have clinical privileges at the main provider, a description of the level of monitoring and oversight of the facility by the main provider as compared to oversight of other departments of the main provider, and a description of the responsibilities and relationships between the medical director of the facility, the chief medical officer of the main provider, and the medical staff committees at the main provider.

3. Are the medical records for patients treated in the facility integrated into a unified retrieval system (or cross-reference) of the main provider? 42 CFR 413.65(d)(2)(v)
Documentation may be a copy or description of the policy used for record retrieval at both the main provider and the facility.

Financial Integration

4. Are the financial operations of the facility fully integrated within the financial system of the main provider, as evidenced by shared income and expenses between the main provider and the facility? Are the costs of the facility reported in a cost center of the main provider, and readily identified in the main provider's trial balance? 42 CFR 413.65(d)(3)
Documentation could include a copy of the appropriate section of the main provider's chart of accounts or trial balance that shows the location of the facility's revenues and expenses.

Public Awareness

5. Is the facility held out to the public and other payers as part of the main provider? When patients enter the facility, are they aware that they are entering the main provider and will be billed accordingly? 42 CFR 413.65(d)(4)
Documentation may include examples that show that the facility is clearly identified as part of the main provider (i.e., a shared name, patient registration forms, letterhead, advertisements, signage, Web site). Advertisements that only show the facility to be part of or affiliated with the main provider's network or healthcare system are not sufficient.

Control

6. Does the main provider have final responsibility for administrative decisions, final approval for contracts with outside parties, final approval for personnel actions, final responsibility for personnel policies (such as fringe benefits or code of conduct), and final approval for medical staff appointments in the facility? 42 CFR 413.65(e)(1)(iv)
Documentation may include a description of who has final approval for administrative decisions, contracts with outside parties, personnel policies, and medical staff appointments for the facility.

Administration and Supervision

7. Is the facility operated under the same monitoring and oversight by the provider as any other department of the provider, and operated just as any other department of the provider with regard to supervision and accountability? 42 CFR 413.65(e)(2)(ii)
The facility's director or individual responsible for daily operations maintains a reporting relationship with a manager at the main provider that has the same frequency, intensity, and level of accountability that exists in the relationship between the main provider and its existing departments. Documentation may include an organizational chart that includes the main provider and the facility and a written description of the facility director's reporting requirements and accountability procedures for day-to-day operations.

8. Are the following administrative functions of the facility integrated with those of the main provider: billing services, records, human resources, payroll, employee benefit package, salary structure, and purchasing services? 42 CFR 413.65(e)(2)(iii)
Documentation may include a list of the various administrative functions (e.g., billing services, laundry, payroll) at the facility that are integrated with the main provider. Additionally, the provider may include copies of any contracts for administrative functions that are completed under arrangements for the main provider and/or facility.

Location

9. Is the facility located within a 35-mile radius of the campus of the main provider? 42 CFR 413.65(e)(3)(i)
Maps or an online service such as Mapquest may be used. The 35-mile radius is measured by actual straight-line distance between the main provider and the facility, not road miles.

Coinsurance Notification

10. If a Medicare beneficiary will incur a coinsurance liability for an outpatient visit to the hospital as well as for the physician service, does the facility provide written notice to the beneficiary, before the delivery of services, that the beneficiary will incur a coinsurance liability that he or she would not incur if the facility were not provider-based, an estimate based on typical or average charges for visits to the facility, and a statement that the patient's actual liability will depend upon the actual services furnished by the hospital? 42 CFR 413.65(g)(7)(i)
Documentation may include a copy of the form given to patients and a copy of the policies regarding distribution of the form. Providers may also supply a copy of their policy on EMTALA compliance.

Provider Based Entity Name:
Date:
On or Off-Campus: OFF

The Following Elements of Compliance Are Required for Both On and Off-Campus Providers
(Columns: Evident | Not Evident | Comments)

Licensure and Accreditation (Entity or department is listed on the pre-survey application)
* Licensure by the State
* Joint Commission Accreditation

Clinical Services
* Professional Staff Credentialed at Hospital
* Mechanism to Refer Patients to Inpatient and Outpatient Services of Main Provider
* Medical Record policy of the main provider addresses integration and retrieval of records at provider based entities
* Mechanism exists at main provider to obtain records and relevant information about care in the provider based entity
* Quality Improvement Data Collected and Reported through Main Provider

Financial Integration
* Costs are reported in a cost center of the main provider.

Public Awareness
* Signage clearly identifies that the entity is part of the main provider (not just health system).
* Billing statement identifies that the service was provided by the main provider
* Brochures and/or letterhead identify that the entity is part of the main provider

Provider Based Entity Name:
On or Off-Campus:

The Following Elements of Compliance Are Required for Off-Campus Providers
(Columns: Evident | Not Evident | Comments)

Co-Insurance Liability Notification Elements:
* Written notice delivered prior to the service either to the beneficiary
* Readable and understandable by the beneficiary
* Notice explains that a co-insurance will be incurred that would not be if the facility were not provider based
* Notice estimates the amount of the potential patient liability for the facility fee

The Following Elements of Compliance Are Required If Management Contracts Exist
* The main provider employs the staff directly involved in patient care
* The main provider has significant control over the operations
* The administrative functions are integrated
* The management contract is held by the main provider itself, not by the parent organization that has control over both

Supervision
* There is evidence of supervision of services by a physician; check physician schedule

Appropriate Place of Service
* Check Place of Service Billed; should be "22" for both hospital entity and physician services